Using a Custom Kerberos Keytab Retrieval Script

The Cloudera Manager Kerberos setup procedure requires you to create an administrator account for the Cloudera Manager user. Cloudera Manager then connects to your KDC and uses this admin account to generate principals and keytabs for the remaining CDH services. If, for some reason, you cannot create a Cloudera Manager administrator account on your KDC with the privileges to create other principals and keytabs for CDH services, then these must be created manually.

Cloudera Manager gives you the option to use a custom script to retrieve keytabs from the local filesystem. To use a custom Kerberos keytab retrieval script:

1. The KDC administrators should create the required principals and keytabs, and store them securely on the Cloudera Manager Server host.

2. Create the keytab retrieval script. Your script should take two arguments: a full principal name for which it should retrieve a keytab, and a destination to which it can write the keytab. The script must be executable by the Cloudera Manager admin user, cloudera-scm. Depending on the principal name input by Cloudera Manager, the script should locate the corresponding keytab on the Cloudera Manager Server host (stored in step 1), and copy it into a location accessible to the cloudera-scm user. Here is a simple example:
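The following is an added example of such a script, not Cloudera's own code. It assumes a constructed naming convention for the stored keytabs (<primary>_<instance>.keytab, or <primary>.keytab for principals without an instance part) under an assumed directory /etc/cloudera-scm-server/keytabs, validates the principal so a malformed name cannot select a file outside that directory, and copies the keytab with owner-only permissions:

```bash
#!/bin/bash
# Added example keytab retrieval script (not Cloudera's own). Assumes the KDC
# administrators stored keytabs under $KEYTAB_DIR (assumed path) using the
# constructed convention <primary>_<instance>.keytab, e.g.
# hdfs/host1.example.com@EXAMPLE.COM -> hdfs_host1.example.com.keytab,
# or <primary>.keytab for principals with no instance part.
KEYTAB_DIR="${KEYTAB_DIR:-/etc/cloudera-scm-server/keytabs}"
umask 077   # anything this script creates is readable by its owner only

# Validate a principal (primary[/instance]@REALM) and print its keytab file name.
# Path separators, "..", and shell metacharacters are rejected so that a bad
# principal name can never select a file outside KEYTAB_DIR.
keytab_name_for() {
    principal="$1"
    case "$principal" in
        ''|*[!A-Za-z0-9._@/-]*|*..*|*/*/*|/*|*/@*|*@*@*|*@|@*) return 1 ;;
        *@*) ;;                       # exactly one @REALM, well formed
        *) return 1 ;;                # no realm at all
    esac
    no_realm="${principal%@*}"        # drop @REALM
    primary="${no_realm%%/*}"         # text before the first "/"
    if [ "$primary" = "$no_realm" ]; then
        printf '%s.keytab\n' "$primary"
    else
        printf '%s_%s.keytab\n' "$primary" "${no_realm#*/}"
    fi
}

# Copy the keytab for principal $1 to destination $2.
# A non-zero exit status tells Cloudera Manager the retrieval failed.
retrieve_keytab() {
    principal="$1"; dest="$2"
    if ! name=$(keytab_name_for "$principal"); then
        echo "refusing malformed principal: $principal" >&2; return 2
    fi
    src="$KEYTAB_DIR/$name"
    if [ ! -f "$src" ]; then
        echo "no keytab for $principal (expected $src)" >&2; return 3
    fi
    cp "$src" "$dest" && chmod 600 "$dest"
}

# Cloudera Manager invokes the script with exactly two arguments.
if [ "$#" -eq 2 ]; then
    retrieve_keytab "$1" "$2"; exit $?
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 <principal> <destination>" >&2; exit 64
fi
```

The script must be owned by and executable for cloudera-scm, and the stored keytabs under KEYTAB_DIR should be readable only by that user.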

Note that the script will change according to the keytab naming convention followed by your organization.

3. Configure the location for the script in Cloudera Manager:

   a. Go to the Cloudera Manager Admin console.

   b. Select Administration > Settings.

   c. Select Category > Kerberos.

   d. Locate the Custom Kerberos Keytab Retrieval Script property and set it to point to the script created in step 2.

   e. Click Save Changes to commit the changes.

   Once the Custom Kerberos Keytab Retrieval Script property is set, whenever Cloudera Manager needs a keytab, it will ignore all other Kerberos configuration and run the keytab retrieval script to copy the required keytab to the desired destination.

4. Cloudera Manager can now distribute the keytab to the services that need access to it.

Note: The Cloudera Navigator web server accesses HDFS and Hue using the keytabs corresponding to those principals; however, the custom script does not move these additional keytabs to the Navigator Metadata Server. To complete the setup for Navigator, manually move the keytabs for the HDFS and Hue principals to the Navigator home directory on the Navigator Metadata Server host (typically /var/lib/cloudera-scm-navigator).

If this documentation includes code, including but not limited to, code examples, Cloudera makes this available to you under the terms of the Apache License, Version 2.0, including any required
notices. A copy of the Apache License Version 2.0 can be found here.